Monday, January 26, 2009

OWASP Podcast #5 - Interview with Gary McGraw

I just finished updating the OWASP Podcast series RSS/iTunes feed to include OWASP Podcast #5 - an interview with Gary McGraw! You can read the show notes here, download the mp3 file directly here, or subscribe to the OWASP Podcast series RSS Feed here. If you use the iTunes podcast management feature, you can subscribe to the OWASP Podcast series via iTunes here.

The podcast starts with a 30 second introduction from the song "To You Right Now" off the album 100 Feet Above the Ground. Gary played mandolin and fiddle, sang backup vocals, and produced this album.

Gary did not shy away from any difficult questions in this interview. In fact, he encouraged them. I was very impressed with Gary's courage to dive into controversy - as well as cause it.

Thursday, January 22, 2009

Browser HTTPOnly Support Update

If you update your Windows OS with the MSXML Core Services patch MS08-069, then IE 8 Beta 2 and IE 7 will prevent HTTPOnly cookies from being read through XMLHTTPRequest response headers (set-cookie headers only) within IE. As of this writing, IE 8 Beta 2 and IE 7 are the only browsers that truly stop HTTPOnly set-cookie leakage through XMLHTTPRequest headers. However, IE 8 Beta 2 and IE 7 are not the HTTPOnly-support winners yet: even with MS08-069 they still leak HTTPOnly cookies sent in set-cookie2 headers through XMLHTTPRequest!

Firefox is on track to fix this obscure vector completely. The Firefox patch for XMLHTTPRequest HTTPOnly protection is marked RESOLVED FIXED and will go live shortly.

Safari and Chrome (both built on WebKit) will also see complete set-cookie/set-cookie2 XMLHTTPRequest exposure protection shortly - the patch has been complete since 12/21/08.

One final, really obscure note: the OWASP WebGoat HTTPOnly lab is broken and does not report IE 8 Beta 2 and IE 7 with MS08-069 as complete in terms of HTTPOnly protection. However, Robert Hansen's HTTPOnly test page now includes set-cookie and set-cookie2 checks for XMLHTTPRequest exposure and should be used until OWASP fixes http://code.google.com/p/webgoat/issues/detail?id=18 .

And most importantly, I updated the OWASP HTTPOnly page to reflect this information.

Tuesday, January 20, 2009

OWASP Podcast #4 - Developers Guide

I just finished publishing OWASP Podcast #4 - an interview with Andrew van der Stock - over the status and future of the OWASP Developers Guide.

You can check out the show notes for OWASP Podcast #4, download the mp3 file directly, subscribe to the RSS feed, or subscribe directly to iTunes.

I'm really excited to see what Andrew does in the upcoming revision to the OWASP Developers Guide. This key OWASP reference for all of the "builders" out there is sure to raise the bar and contribute significantly to achieving industry-wide application security excellence. :)

Wednesday, January 7, 2009

OWASP Podcast #3 - Live CD

I just finished publishing OWASP Podcast #3 - an interview with Matt Tesauro.

Matt is the OWASP Live CD Project lead. He's also a member of the Global Project and Tools Committee. His interview is about the OWASP Live CD Project history, status and future.

You can check out the show notes for OWASP Podcast #3, download the mp3 file directly, subscribe to the RSS feed, or subscribe directly to iTunes.

I found Matt to be a very motivated and inspired quartermaster for OWASP. I'm certain he will continue to grow the OWASP Live CD project and I look forward to hearing about his progress in the near future.

Monday, December 29, 2008

OWASP Podcast #2 Securing Webgoat with ModSecurity

I just finished publishing OWASP Podcast #2 - an interview with Stephen Craig Evans.

We discussed Stephen's OWASP Summer of Code project, Securing WebGoat with ModSecurity.

You can check out the show notes for OWASP Podcast #2, download the mp3 file directly, subscribe to the RSS feed, or subscribe directly to iTunes.

I found Stephen to be very interesting in his analysis of when WAF deployment is prudent. Although WAF deployment is something I personally think of as a last resort, intelligent discussion and arguments like I heard from Stephen make it tougher for me to dismiss WAF technology outright. Great job, Stephen!

Sunday, December 21, 2008

HTTPOnly XMLHTTPRequest exposure update

The HTTPOnly crusade grows stronger.

I have victories to report on several fronts regarding the adoption of HTTPOnly, to the point of stopping XMLHTTPRequest.getAllResponseHeaders leakage of HTTPOnly cookies.

The HTTPOnly world was rocked in the summer of 2007 when the famous HTTPOnly test URL at http://ha.ckers.org/httponly.cgi demonstrated that HTTPOnly cookies could be exposed via the JavaScript XMLHTTPRequest (XHR) object: its getAllResponseHeaders() function returned every HTTP response header, including the set-cookie headers, even for cookies marked HTTPOnly. The exposure is limited to cookies the server actually sets in that particular response, but for a session cookie that is re-issued on every request, that is enough.

So even though HTTPOnly stopped JavaScript reads like document.cookie, it did not stop advanced XSS techniques like the one at http://insanesecurity.wordpress.com/2007/08/01/httponly-vs-xmlhttprequest/

The latest and greatest browsers and standards address this issue.

First out the gate, is Internet Explorer. My HTTPOnly hat's off to Microsoft for delivering the first browser to implement defense from the HTTPOnly exposure vector described above. http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx

However, IE did NOT implement protection from set-cookie2 header exposure!! The horror!

I still declare the HTTPOnly browser war active!

Will FireFox deliver the first browser to truly implement complete HTTPOnly in a way that would make the HTTPOnly working group pleased? Could Opera, Safari or Chrome sneak in with a win?

As I mentioned in an earlier post, a recent editor's draft of the XHR specification at the W3C includes clear language that prevents reading of ALL set-cookie and set-cookie2 headers via getAllResponseHeaders() and getResponseHeader(), with the header names matched case-insensitively. Nice!
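To make the two sides of this concrete (the spec-mandated filtering described here, and the set-cookie/set-cookie2 checks that a test page like the one mentioned in the January 22 update performs), here is an added example. It is not code from this post, from any browser, or from Hansen's or WebGoat's test pages: it works over a constructed raw header string in the CRLF-joined form that getAllResponseHeaders() returns, and the two sample responses (one "unpatched", one with only set-cookie filtered, mimicking the MS08-069 behaviour this post describes) are made up for illustration.

```javascript
// Added example, not from the original post or any browser's source.
// Two sides of the HTTPOnly/XHR leak:
//  1. filterCookieHeaders(raw) / getResponseHeader(raw, name): what a conforming
//     XHR implementation does before handing header text to script, per the
//     editor's draft: drop Set-Cookie and Set-Cookie2, matched case-insensitively.
//  2. leakedCookieHeaders(raw): what an HTTPOnly test page checks, given whatever
//     getAllResponseHeaders() actually returned in the browser under test.
// Header text is split on CRLF, as getAllResponseHeaders() returns it.

const COOKIE_HEADER = /^set-cookie2?$/i;

// Parse "Name: value" lines into [name, value] pairs, skipping blank lines.
// Only the first ':' separates name from value, so Expires dates survive intact.
function parseRawHeaders(raw) {
  return raw.split(/\r?\n/)
    .filter((line) => line.length > 0)
    .map((line) => {
      const idx = line.indexOf(":");
      if (idx < 0) return [line.trim(), ""];
      return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
    });
}

// Spec-side behaviour: remove Set-Cookie and Set-Cookie2 whatever their casing
// and return the rest in the same CRLF-joined form script would receive.
function filterCookieHeaders(raw) {
  return parseRawHeaders(raw)
    .filter(([name]) => !COOKIE_HEADER.test(name))
    .map(([name, value]) => `${name}: ${value}`)
    .join("\r\n");
}

// Spec-side getResponseHeader(name): null for a cookie header however the caller
// spells it, otherwise the header's value, or null if the header is absent.
function getResponseHeader(raw, name) {
  if (COOKIE_HEADER.test(name)) return null;
  const hit = parseRawHeaders(raw).find(([n]) => n.toLowerCase() === name.toLowerCase());
  return hit ? hit[1] : null;
}

// Test-page side: which cookie headers got through, and which carried HttpOnly.
// A leaked HttpOnly cookie is the finding; a leaked non-HttpOnly cookie is noise,
// since script could read that one from document.cookie anyway.
function leakedCookieHeaders(raw) {
  return parseRawHeaders(raw)
    .filter(([name]) => COOKIE_HEADER.test(name))
    .map(([name, value]) => {
      const parts = value.split(";");
      return {
        header: name,
        cookie: parts[0].split("=")[0].trim(),
        httpOnly: parts.slice(1).some((attr) => attr.trim().toLowerCase() === "httponly"),
      };
    });
}

// Constructed sample: what an unpatched browser hands back. Mixed case on purpose,
// because a filter that compares against "Set-Cookie" exactly misses the first line.
const UNPATCHED_RAW =
  "Content-Type: text/html\r\n" +
  "SET-COOKIE: JSESSIONID=abc123; Path=/; HttpOnly\r\n" +
  "Set-Cookie2: legacy=xyz; Version=1; HttpOnly\r\n" +
  "set-cookie: theme=dark; Path=/\r\n" +
  "Cache-Control: no-store\r\n";

// Constructed sample mimicking the MS08-069 behaviour described in the post:
// set-cookie is filtered, set-cookie2 is not.
const IE_MS08_069_RAW =
  "Content-Type: text/html\r\n" +
  "Set-Cookie2: legacy=xyz; Version=1; HttpOnly\r\n" +
  "Cache-Control: no-store\r\n";

function report(label, raw) {
  const leaks = leakedCookieHeaders(raw).filter((l) => l.httpOnly);
  const verdict = leaks.length === 0
    ? "no HttpOnly leakage"
    : "LEAKS " + leaks.map((l) => `${l.header}(${l.cookie})`).join(", ");
  console.log(`${label}: ${verdict}`);
}

report("unpatched", UNPATCHED_RAW);
report("IE + MS08-069", IE_MS08_069_RAW);
report("spec-conforming", filterCookieHeaders(UNPATCHED_RAW));
```

In a real test page the input to leakedCookieHeaders() is xhr.getAllResponseHeaders() from a same-origin request to a URL that sets an HttpOnly cookie in its response; nothing in the browser's cookie jar is exposed by this vector, only what that one response sets. The set-cookie2 line is what separates "patched" from "done": a filter that only knows set-cookie passes the first sample's second line straight through.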

It's the securing of these core specifications that helps make the applications and browsers of tomorrow more secure. Thanks Anne!

PS: As a HTTPOnly bonus, check out Ryan Barnett's blog post on how to add HTTPOnly protection using ModSecurity.

Tuesday, December 16, 2008

How to restart Tomcat properly

David: hmm, i get no cancel confirmation
James: update all code
then refresh
then project-clean
sacrifice 2 chickens
reload tomcat
sacrifice a goat
then you should be ok
David: ok, i forgot the goat